In recent public testimony before the HIT Policy and Standard Committees, Cerner CEO Neal Patterson called for mandated “directed query” messages so patients can authorize release of information, and a fix to the patient identifier problem. In response, Deborah Peel, M.D., founder of the Patient Privacy Rights organization, generally praises Patterson’s positions but points out some flaws in his identifier solution:

Patient Privacy Rights applauds Neal Patterson's call for "universally available" directed push and directed query. Universal availability includes the patient and any agent the patient selects as allowed by HIPAA.

Universal availability can best be achieved by allowing the physician and patient to control the endpoints for directed exchange. Anything less, such as technical restrictions on endpoints at the institutional or EHR vendor level, dilute and frustrate the physician-patient relationship and can result in duplicate testing, delayed follow-up and reduced ability to detect medical errors.

At the January 29 HIE hearing, Patient Privacy Rights called for ONC guidance to make clear that Direct protocols, as required in Stage 2 Meaningful Use, give physicians the choice to accept self-signed patient certificates as a practical way to ensure that all patient-directed endpoints are accessible on the nationwide health information network.

We also applaud Mr. Patterson's testimony that: "As the volume of data interchange increases, we cannot continue to rely on statistical matches based on a highly constrained set of data elements," and calls for a shift to voluntary use of patient identifiers.  However, Patient Privacy Rights believes that identifiers that are strongly linked to the patient such as driver's license or biometrics are not voluntary because the patient cannot choose different identifiers in different circumstance in order to protect privacy.

It is critical to use IDs that protect privacy, not eliminate privacy. Truly voluntary patient identifiers should be patient-selected in the way we select among credit cards or email addresses in privacy-sensitive situations.  For this reason, Patient Privacy Rights’ testimony at the Jan 29 hearings called for use of Direct secure email addresses, including addresses with self-signed certificates, as the preferred method of patient identification across institutions.

Patients that do not wish to use a Direct email should be allowed to use other credentials that are verifiably under their control and globally unique if these arise in the future as a result of federal efforts such as the National Strategy for Trusted Identities in Cyberspace.

The right of patients to receive care anonymously is important and should not be arbitrarily restricted by health information exchange technology. This right is recognized in HIPAA when patients pay cash for their care and this right should not be undercut by health information sharing beyond the institution in situations such as e-prescribing. Patients seeking anonymous care within the limits of public health regulations must be allowed to share information on the network using the patient identifiers that they select if the identifier is acceptable to the other parties.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access